Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

feat: remove use of domain-wide delegation #34

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 26, 2021
Merged

feat: remove use of domain-wide delegation #34

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
680be65
Remove domain-wide delegation
jackwotherspoon Oct 26, 2021
feb8b62
Update based on feedback
jackwotherspoon Oct 26, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 8 additions & 17 deletions 25 app.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -431,24 +431,22 @@ async def get_users_with_roles(role_service, group_names):
return role_grants


def delegated_credentials(creds, scopes, admin_user=None):
def get_credentials(creds, scopes):
"""Update default credentials.

Based on scopes and domain delegation, update OAuth2 default credentials
Based on scopes, update OAuth2 default credentials
accordingly.

Args:
creds: Default OAuth2 credentials.
scopes: List of scopes for the credentials to limit access.
admin_user: Email of admin user, required for domain delegation credentials.

Returns:
updated_credentials: Updated OAuth2 credentials with scopes and domain
delegation applied.
updated_credentials: Updated OAuth2 credentials with scopes applied.
"""
try:
# First try to update credentials using service account key file
updated_credentials = creds.with_subject(admin_user).with_scopes(scopes)
updated_credentials = creds.with_scopes(scopes)
# if not valid refresh credentials
if not updated_credentials.valid:
request = Request()
Expand All @@ -460,7 +458,7 @@ def delegated_credentials(creds, scopes, admin_user=None):
service_acccount_email = creds.service_account_email
signer = iam.Signer(request, creds, service_acccount_email)
updated_credentials = service_account.Credentials(
signer, service_acccount_email, TOKEN_URI, scopes=scopes, subject=admin_user
signer, service_acccount_email, TOKEN_URI, scopes=scopes
)
# if not valid, refresh credentials
if not updated_credentials.valid:
Expand Down Expand Up @@ -538,13 +536,6 @@ async def run_groups_authn():
400,
)

admin_email = body.get("admin_email")
if admin_email is None or type(admin_email) is not str:
return (
"Missing or incorrect type for required request parameter: `admin_email`",
400,
)

# try reading in private_ip param, default to False
private_ip = body.get("private_ip", False)
if type(private_ip) is not bool:
Expand All @@ -555,10 +546,10 @@ async def run_groups_authn():

# grab default creds from cloud run service account
creds, project = default()
# update default credentials with IAM SCOPE and domain delegation
iam_creds = delegated_credentials(creds, IAM_SCOPES, admin_email)
# update default credentials with IAM SCOPE
iam_creds = get_credentials(creds, IAM_SCOPES)
# update default credentials with Cloud SQL scopes
sql_creds = delegated_credentials(creds, SQL_SCOPES)
sql_creds = get_credentials(creds, SQL_SCOPES)

# create UserService object for API calls
user_service = UserService(sql_creds, iam_creds)
Expand Down
Morty Proxy This is a proxified and sanitized view of the page, visit original site.